Let’s Encrypt is one of the most popular ways of obtaining an SSL certificate for free. It is well known that SSL certificates gain customer trust, as well as improving a website’s ranking in the search engines. Installing a Let’s Encrypt SSL certificate on an AWS AMI instance requires a few commands to be run on the instance.

It is assumed that you already have a website configured on the instance and have installed the relevant components, as described in the post on configuring a PHP website on AWS.

To start with, ensure that you have installed Apache’s mod_ssl module on the instance. This can be done by running the following command.

$ sudo yum install mod24_ssl

To install a Let’s Encrypt SSL certificate using the Certbot client, the client must first be downloaded. It can be downloaded and made executable using the following commands.

$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto

This will download a certbot-auto file onto your instance.

To begin installing a Let’s Encrypt SSL certificate, run the following command.

$ sudo /path/to/certbot-auto --debug

Some further packages will be installed, and you will be prompted to enter an email address for any urgent renewal and security notices.

Assuming no errors occur, continue and you will be asked whether a redirect from HTTP to HTTPS should be put in place.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Choose your option and the SSL certificate should be installed! You’ll note that Certbot creates a yourdomain.co.uk-le-ssl.conf file within the /etc/httpd/conf.d directory that contains the vhosts configuration for HTTPS.

Let’s Encrypt certificates last 90 days, and therefore need to be renewed from time to time.

You can configure automatic renewals in the instance’s crontab. For example, to run the renew command every day at 1am, you could add the following entry to the crontab.

0 1 * * * /path/to/certbot-auto renew --debug

Remember, there are rate limits set by Let’s Encrypt, so don’t run renewals too frequently or have too many certificates per registered domain. To find out more, see the Let’s Encrypt documentation on rate limits.
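A cron entry can fail silently, so it is worth checking the certificate itself rather than trusting the schedule. The script below is an added example, not part of the original post: the function names, the 21-day threshold and the check_cert.sh filename are assumptions, and the certificate path in the usage comment assumes Certbot's default /etc/letsencrypt/live layout.

```shell
#!/bin/sh
# Added example: detect a stalled renewal cron job by inspecting the certificate.
# Certbot's renew command replaces certificates with under 30 days left, so a
# live certificate with fewer than WARN_DAYS remaining means renewals are failing.

# cert_status CERT_FILE [WARN_DAYS]   (WARN_DAYS defaults to 21, an assumed value)
# Prints OK, EXPIRING, EXPIRED or UNREADABLE; returns 0, 1, 2 or 3.
cert_status() {
    cs_cert=$1
    cs_warn_days=${2:-21}
    # Reject missing files and anything that is not a parseable X.509 certificate.
    if ! openssl x509 -in "$cs_cert" -noout >/dev/null 2>&1; then
        echo UNREADABLE; return 3
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cs_cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED; return 2
    fi
    if ! openssl x509 -in "$cs_cert" -noout \
            -checkend $((cs_warn_days * 86400)) >/dev/null 2>&1; then
        echo EXPIRING; return 1
    fi
    echo OK; return 0
}

# make_sample_cert DAYS OUT_FILE
# Constructed test input: a throwaway self-signed certificate valid for DAYS
# days. The private key is written next to it as OUT_FILE.key.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=example.test" -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

# Usage from cron or a monitoring check:
#   ./check_cert.sh /etc/letsencrypt/live/yourdomain.co.uk/cert.pem 21
if [ $# -ge 1 ]; then
    cert_status "$@"
fi
```

A non-zero exit status lets cron mail or a monitoring agent raise the alert, so a failed renewal is noticed weeks before visitors see an expired certificate.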